NHS Data Security and Protection Toolkit application

The Data Security and Protection Toolkit (DSPT) is a standard against which all organisations processing NHS patient data, or who have access to national informatics services, need to adhere to (beyond NHS organisations themselves). Here in the University, it is by and large unknown to all, but a select few units and research groups, either those who need to conduct research without participant consent (under Common Law Duty of Confidentiality), or those who need access to identifiable (or linked) patient data from NHS Digital, the National Custodian for patient data within England.

At a glance:

 Ensure you know whether you need to have a toolkit

 Define the scope of the toolkit

 Assign responsibility and resource for undertaking toolkit application

 Contact us for information and guidance at grc@infosec.ox.ac.uk


Requirements for toolkit

As you embark on a toolkit submission mission, you will find that there are requirements above and beyond what is mandated for by the University. This is because we are obligated to maintain the same level of assurance as the National Health Service (as outlined in the data security standards) when handling health and social care information for research, and play our part in maintaining the public trust in the health service and in research as a community.


One of the most important decisions you’ll need to make when embarking on a toolkit completion is the scope. You may wish to undertake toolkit submission as a single research group, as a unit that undertakes high risk research activities within the department, or simply as a collection of research projects operating under the same policies. Either way, NHS Digital can facilitate either approach technically.

Contractually speaking, NHS Digital can audit the University on a number of levels: either by a Data Sharing Agreement (DSA) which was agreed when requesting data, or by a DSPT which can cover more than one data sharing agreement, or more than one research group. The worst case scenario is that they may invoke their right to refuse further sharing of data based on the audit results. You must then ask yourself what impact it will have on research activities if this happens (even though this may be unlikely), and decide whether to accept the risk, or alternately reduce the risk by controlling the toolkit scope.

Information security good practice is to always start with a tightly controlled environment, then expand out, rather than having everything within the scope (without having clear understanding of the compliance status of each of the projects).

As this is a compliance activity, knowing exactly what data flows need to adhere to the toolkit is key to understanding and managing the risk within your unit.

Taking ownership and assigning responsibilities

Once you’ve understood the scope of activities that need to be compliant with the toolkit, you can then map out the roles and responsibilities for managing compliance. You will need to assign responsibility for Senior Information Risk Owner (SIRO), Caldicott Guardian should it be applicable, as well as the role of Information Governance (IG) Lead.

It is possible to create additional roles that could supplement this framework by assigning Information Asset Owners (IAO), and Information Asset Administrators (IAA) (where a toolkit covers more than one Data Sharing Agreement). They may have hands-on knowledge of the project, and data flows and may be in a better position to provide information around local incidents and assets and software used to process the data provided by NHS Digital.

These roles may sit at the departmental level, or across research themes. Either way, the overall organisational line of accountability for information risk is essential.

Getting started

We are working with the Information Compliance team and the Data Privacy Champion to co-ordinate the collection and dissemination of answers that are applicable at a University level. This will be published here in due course. Please get in touch at grc@infosec.ox.ac.uk should you have any further enquiries.

What you need to do

Hints and Tips

Check whether there is a toolkit already in place for your unit

If you do, get in touch with the unit head to discuss how to work under the toolkit policies and procedures


If not, you will need to create a new toolkit


Register for an account within the toolkit

You will need your Organisation Code as per NHS, which can be found here

You will need to register as a researcher/department

A University, as per the toolkit, is classified as a large organisation, with all its health and social care data in scope. A researcher/department allows you to define the scope more tightly, and to have to comply with less assertions, due to the lower level of risk within a ‘small organisation’.

You will automatically be assigned the main applicant, or the toolkit owner

Please ensure that the ownership of the toolkit is assigned to the right individual

As the toolkit owner, you then can create further accounts (if needed)

You may wish to use this feature if you have a number of people (i.e. an IG lead, a compliance, or privacy officer, and a research facilitator or IT manager) all working on the same toolkit application, each with their own set of assertions they need to respond to

You can also assign each staff/ individual working on the toolkit assertions in particular

The staff members, once created, can then be assigned these assertions, so that they can add in the information directly on the system. Alternately you can do this offline as well.

Complete the assertions as applicable to the toolkit as a 'researcher/department' (small organisation)

Answers that can be answered across the University have been added to the MSD IGO sharepoint for DSPT, along with links for evidencing and template materials which can be accessed to complete the toolkit.


What is it?

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. It is mandatory for all Health and Social Care organisations to undertake this. In the University, it is necessary to have a DSPT in place if you wish to apply for Confidentiality Advisory Group (CAG) approval, or if you wish to use data from NHS Digital (beyond pseudonymised Hospital Episode Statistics).

Where does the DSPT fit in?

The University has an existing Data Sharing Framework Agreement with NHS Digital, which outlines the overarching agreement between the two organisations to handle patient data with appropriate care and diligence. A toolkit application, at the next level down, enables a unit or research group to demonstrate compliance with the standards outlined in the toolkit. Not everyone needs to abide by this, because it applies to health and social care data collected by the NHS. Because of the elevated level of risk pertaining to patient data, all organisations using NHS data (disseminated by NHS Digital) need to also adhere to the same standard, in order to maintain the public trust in health information. Once the toolkit application is completed to a satisfactory standard, one can apply to use personal and identifiable information via an application to NHS Digital for data (via Data Access Request Service) or support a Confidentiality Advisory Group application to establish the need for data without participant consent.

The 10 Data Security Standards

The National Data Guardian’s Review of Data Security, Consent and Opt-Outs sets out ten data security standards clustered under three leadership obligations to address people, process and technology issues. The Data Security and Protection Toolkit is largely seen as a way to embed the standards into every day working practices.

Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.

Data Security Standard 1

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes


Data Security Standard 2

All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches

Data Security Standard 3

All staff complete appropriate annual data security training and pass a mandatory test, provided through the DSPT



Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.

Data Security Standard 4

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals


Data Security Standard 5

Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security


Data Security Standard 6

Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection (NB: University requires incidents to be reported to oxcert@infosec.ox.ac.uk within 4 working hours of discovery).


Data Security Standard 7

A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management


Leadership Obligation 3: Technology: ensure technology is secure and up-to-date.

Data Security Standard 8

No unsupported operating systems, software or internet browsers are used within the IT estate. Data Security Standard Overall Guide


Data Security Standard 9

A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually


Data Security Standard 10

IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards